kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-03 20:38:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
03ceef35ac9572e64a596d0094b800e25fda7e0d
asterisk/SECURITY
Mark Spencer b1cee61174 Fix various documentation issues (bugs #5464-5467) 
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@6826 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2005-10-18 21:06:38 +00:00

68 lines
2.5 KiB
Plaintext
Executable File
Raw Blame History

==== Security Notes with Asterisk ====
PLEASE READ THE FOLLOWING IMPORTANT SECURITY RELATED INFORMATION.
IMPROPER CONFIGURATION OF ASTERISK COULD ALLOW UNAUTHORIZED USE OF YOUR
FACILITIES, POTENTIALLY INCURRING SUBSTANTIAL CHARGES.
Asterisk security involves both network security (encryption, authentication)
as well as dialplan security (authorization - who can access services in
your pbx). If you are setting up Asterisk in production use, please make
sure you understand the issues involved.
* NETWORK SECURITY
If you install Asterisk and use the "make samples" command to install
a demonstration configuration, Asterisk will open a few ports for accepting
VoIP calls. Check the channel configuration files for the ports and IP addresses.
If you enable the manager interface in manager.conf, please make sure that
you access manager in a safe environment or protect it with SSH or other
VPN solutions.
For all TCP/IP connections in Asterisk, you can set ACL lists that
will permit or deny network access to Asterisk services. Please check
the "permit" and "deny" configuration options in manager.conf and
the VoIP channel configurations - i.e. sip.conf and iax.conf.
The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk.
* DIALPLAN SECURITY
First and foremost remember this:
USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY
INCOMING CONNECTIONS.
You should consider that if any channel, incoming line, etc can enter an
extension context that it has the capability of accessing any extension
within that context.
Therefore, you should NOT allow access to outgoing or toll services in
contexts that are accessible (especially without a password) from incoming
channels, be they IAX channels, FX or other trunks, or even untrusted
stations within you network. In particular, never ever put outgoing toll
services in the "default" context. To make things easier, you can include
the "default" context within other private contexts by using:
include => default
in the appropriate section. A well designed PBX might look like this:
[longdistance]
exten => _91NXXNXXXXXX,1,Dial(Zap/g2/${EXTEN:1})
include => local
[local]
exten => _9NXXNXXX,1,Dial(Zap/g2/${EXTEN:1})
include => default
[default]
exten => 6123,Dial(Zap/1)
DON'T FORGET TO TAKE THE DEMO CONTEXT OUT OF YOUR DEFAULT CONTEXT. There
isn't really a security reason, it just will keep people from wanting to
play with your Asterisk setup remotely.
Reference in New Issue View Git Blame Copy Permalink